% PPI Presentation Template, By Wang Yuanxuan <zellux at gmail dot gmail>

\documentclass{beamer}
% \usetheme{Warsaw}
% \usetheme{Darmstadt}
\mode<presentation>
\usetheme{boxes}
\useoutertheme{smoothbars}
\useinnertheme[shadow=true]{rounded}
% \usecolortheme{orchid}
\usecolortheme{whale}
\usecolortheme{orchid}

\addfootbox{section in head/foot}{\tiny\quad\color{white}\insertshorttitle}
\addfootbox{frametitle}{\tiny\color{white}\hfill Parallel Processing Institute, Fudan University\hfill}
\addfootbox{section in head/foot}{\tiny\color{white}\hfill Slide
  \insertframenumber\ of \inserttotalframenumber\quad}

% Section outline at the beginning of each section
\AtBeginSection{
  \begin{frame}
   \frametitle{Outline}
    \tableofcontents[sectionstyle=show/hide,subsectionstyle=show/show/hide]{}
 \end{frame}
}

\usepackage{graphicx}
\usepackage{listings}

\title[BluePrint]  % short title displayed in the bottom line
  {BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers}
\author{Aayush Gupta \quad Youngjae Kim}
\institute{Department of Computer Science, University of Illinois at Chicago}
\date{IEEE S\&P 2009}

\begin{document}

\begin{frame}
  \titlepage{}
  \begin{center}
      Presented by Wang Yuanxuan
  \end{center}
\end{frame}

\begin{frame}
  \frametitle{Outline}
  \tableofcontents[hideallsubsections]
\end{frame}

\section{Introduction}

\subsection{XSS Attacks}

\begin{frame}
  \frametitle{Number-one security threat}
  \begin{itemize}
  \item Injection of unauthorized script code into a web page
  \item Victims include Fackbook, LiveJournal, MySpace, and Xiaonei
  \item Can be self-propagating (Samy worm)
  \end{itemize}
\end{frame}

\subsection{Defense Approaches}
\begin{frame}[containsverbatim]
  \frametitle{Content Filtering}
  \begin{itemize}
  \item Process on \textbf{application server}
  \item Remove potentially malicious data or instructions from user input
  \item Difficult to distinguish scripts from text formatting code
  \end{itemize}
  \begin{block}{XSS Example}
    {\small
\begin{verbatim}
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;
&#116;&#58;&#97;&#108; &#101;&#114;&#116;&#40;&#39;&#88;&#83;
&#83;&#39;&#41;>
\end{verbatim}
    }
  \end{block}
\end{frame}

\begin{frame}
  \frametitle{Browser Collaboration}
  \begin{itemize}
  \item Hard to distinguish authorized from unauthorized scripts
  \item Need application's guidance
  \end{itemize}
\end{frame}

\section{Approach}
\subsection{Overview}
\begin{frame}
  \begin{block}{Obstacle}
    Browser and application should have the same understanding of the divide
  \end{block}
  \begin{block}{Approach}
    Enforce the application's understanding of web content on the browser
  \end{block}
\end{frame}

\begin{frame}
  \begin{center}
    \includegraphics[height=\textheight]{html-path.jpg}
  \end{center}
\end{frame}

\subsection{Main Idea}

\begin{frame}
  \frametitle{Eliminating dependence}
  \begin{problem}
    After supplying untrusted HTML via path $\alpha$, the web
    application cannot further control parsing
  \end{problem}
  \begin{solution}
    Eliminate the use of path $\beta$ and derive an alternative path
    to render untrusted content
  \end{solution}
  \begin{block}{How?}
    Build the tree by DOM API (JavaScript)
  \end{block}
\end{frame}

\begin{frame}
  \frametitle{Steps}
  \begin{enumerate}
  \item Generate a parse tree from untrusted HTML \emph{on the app server}
  \item Ensure the parse tree contains no dynamic content (script) nodes
  \item Convey the generated parse tree to the browser's document generator
  \end{enumerate}
\end{frame}

\subsection{Transport}

\begin{frame}
  \frametitle{Reliable transport}
  \begin{itemize}
  \item Encode untrusted data, and then pass to the client
  \item Decode data on the client
  \end{itemize}
\end{frame}

\section{Example}

\subsection{HTML Blog Comment}

\begin{frame}[containsverbatim]
  \frametitle{Benign HTML blog comment}
\begin{verbatim}
1  <p>
2    Here is a page you might find
3    <b>very</b>
4    interesting:
5    <a href="http://www.cpsr.org">
6    Link</a>
7  </p><p style="text-align: right;">
8    Respectfully,
9    Alice
10 </p>
\end{verbatim}
\end{frame}

\begin{frame}[containsverbatim]
  \frametitle{Malicious HTML blog comment}
\begin{verbatim}
1  <p>
2    Here is a page you might find
3    <b """><script>doEvil(. . .)</script>">very</b>
4    interesting:
5    <a href=" &#14; javasc&#x0A;ript:doEvil(. . .);">
6    Link</a>
7  </p><p style="nop:expres/*xss*/sion(doEvil(. . .))">
8    Respectfully,
9    Eve
10 </p>
\end{verbatim}
\end{frame}

\begin{frame}
  \frametitle{HTML Model}
  \begin{center}
    \includegraphics[width=\textwidth]{model.jpg}
  \end{center}
\end{frame}

\subsection{Encoding \& Decoding}

\begin{frame}[containsverbatim]
  \frametitle{Encoded static model}
\begin{verbatim}
1 <code style="display:none;" id="__bp1">
2   =Enk/sCkhlcmUgaXMgYSBwYWdlIHlvdSBta. . .
3   =SkKICAgICI+dmVyeQ===C/k/QIGhlbHBmd. . .
4   =ECg===C/Enk/gCiAgUmVzcGVjdGZ1bGx5L. . .
5 </code><script id="__bp1s">
6   __bp__.cxPCData("__bp1", "__bp1s");
7 </script>
\end{verbatim}
\end{frame}

\begin{frame}
  \frametitle{Client-side model interpreter}
  \begin{itemize}
  \item Decode models using trusted JavaScript code (15.6kB)
  \item Construct the parse trees using a small set of DOM interfaces
    \begin{itemize}
    \item document.createElement()
    \item document.getElementById()
    \item element.appendChild()
    \item element.setAttribute()
    \item etc.
    \end{itemize}
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Model embedding strategies}
  \begin{itemize}
  \item Embedded as text content in a \textbf{code} element
  \item Employ Base64 alphabet to encode, which is syntactically inert
  \end{itemize}
\end{frame}

\section{Evaluation}

\subsection{Effectiveness}

\begin{frame}
  \frametitle{Defence effectiveness}
  \begin{tabular}{|c|c|c|}
    \hline
    Type of attack & \# of variations & \# defended \\ \hline \hline
    Cross-site scripting & 94 & 94 \\ \hline
    Other (non-XSS) & 18 & 0 \\ \hline
    Informational & 1 & 0 \\ \hline \hline
    Total & 113 & 94 \\ \hline
  \end{tabular}
  Tested with XSS Cheat Sheet (113 entries)
\end{frame}

\subsection{Overhead}

\begin{frame}
  \frametitle{Memory overhead}
  \begin{center}
    \includegraphics[width=\textwidth]{memory.jpg}
  \end{center}
\end{frame}

\begin{frame}
  \frametitle{Page generation overhead}
  \begin{center}
    \includegraphics[width=\textwidth]{page-gen.jpg}
  \end{center}
  Redundant built-in HTML parsing and sanitization
\end{frame}

\begin{frame}
  \frametitle{Page rendering overhead}
  \begin{center}
    \includegraphics[width=\textwidth]{render.jpg}
  \end{center}
  A user may take several tens of minutes to read a blog article
\end{frame}

\section{Conclusions}

\begin{frame}
  \frametitle{BluePrint}
  \begin{itemize}
  \item Robust prevention approach to cross-site scripting attacks
  \item Reduce the web app's dependency on browser parsers
  \item A prototype implementation can be downloaded
  \end{itemize}
\end{frame}

\end{document}
